Securing Windows Server 2008: Prevent Attacks from Outside and Inside Your Organization

Securing Windows Server 2008

Prevent Attacks from Outside and Inside Your Organization

Aaron Tiensivu

Copyright

© 2008 by Elsevier, Inc. All rights reserved.

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively Makers) of this book (the Work) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, Career Advancement Through Skill Enhancement®, Ask the Author UPDATE®, and Hack Proofing®, are registered trademarks of Elsevier, Inc. Syngress: The Definition of a Serious Security Library™, Mission Critical™, and The Only Way to Stop a Hacker is to Think Like One™ are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY

Syngress Publishing, Inc.

Elsevier, Inc.

30 Corporate Drive

Burlington, MA 01803

Securing Windows Server 2008

Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

Publisher: Andrew Williams Page Layout and Art: SPI

Copy Editor: Mike McGee Indexer: Odessa & Cie

Project Manager: Gary Byrne Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; emailm.pedersen@elsevier.com

Brief Table of Contents

Copyright

Brief Table of Contents

Table of Contents

List of Figures

List of Tables

Contributing Authors

Chapter 1. Microsoft Windows Server 2008

Chapter 2. Microsoft Windows Server 2008

Chapter 3. Microsoft Windows Server 2008

Chapter 4. Microsoft Windows Server 2008

Chapter 5. Microsoft Windows Server 2008

Chapter 6. Microsoft Windows Server 2008

Chapter 7. Microsoft Windows Server 2008

Chapter 8. Configuring Windows Server Hyper-V and Virtual Machines

Chapter 9. Microsoft Windows Server 2008

Table of Contents

Copyright

Brief Table of Contents

Table of Contents

List of Figures

List of Tables

Contributing Authors

Chapter 1. Microsoft Windows Server 2008

Introduction

Server Manager

Using Server Manager to Implement Roles

Server Core

Using Server Core and Active Directory

Uses for Server Core

Active Directory Certificate Services

Configuring a Certificate Authority

Request a Certificate from a Web Server

Certificate Practice Statement

Key Recovery

Active Directory Domain Services

What Is New in the AD DS Installation?

Summary

Solutions Fast Track

Server Manager

Server Core

Active Directory Certificate Services

Active Directory Domain Services

Frequently Asked Questions

Chapter 2. Microsoft Windows Server 2008

Introduction

What Is PKI?

The Function of the PKI

Components of PKI

How PKI Works

Public Key Functionality

Digital Certificates

User Certificates

Machine Certificates

Application Certificates

Working with Certificate Services

Backing Up Certificate Services

Restoring Certificate Services

Assigning Roles

Enrollments

Revocation

Working with Templates

General Properties

Request Handling

Cryptography

Subject Name

Issuance Requirements

Security

Types of Templates

Creating a Custom Template

Securing Permissions

Versioning

Key Recovery Agent

Summary

Solutions Fast Track

What Is PKI?

Digital Certificates

Working with Certificate Services

Working with Templates

Creating a Custom Template

Frequently Asked Questions

Chapter 3. Microsoft Windows Server 2008

Introduction

Configuring Audit Policies

Logon Events

Directory Service Access

Fine-Grain Password and Account Lockout Policies

Read-Only Domain Controllers (RODCs)

Introduction to RODC

Configuring RODC

Removing an RODC

Digital Rights Management Service

Summary

Solutions Fast Track

Configuring Audit Policies

Fine-Grain Password and Account Lockout Policies

Read-Only Domain Controllers (RODCs)

Configuring Active Directory Rights Management Services

Frequently Asked Questions

Chapter 4. Microsoft Windows Server 2008

Introduction

Network Policy Server

Configuring Policies and Settings for NAP Enforcement Methods in NPS

Network Policy and Access Services Role

NTLMv2 and Kerberos Authentication

802.1x Wired and Wireless Access

WLAN Authentication Using 802.1x and 802.3

Configuring 802.1x Settings in Windows Server 2008

Configuring Wireless Access

Set Service Identifier (SSID)

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access 2 (WPA2)

Ad Hoc vs. Infrastructure Mode

Wireless Group Policy

Summary

Solutions Fast Track

Network Policy Server

Network Policy and Access Services Role

802.1x Wired and Wireless Access

Frequently Asked Questions

Chapter 5. Microsoft Windows Server 2008

Introduction

BitLocker

Trusted Platform Modules

Full Volume Encryption

Startup Process Integrity Verification

Recovery Mechanisms

Remote Administration

Secure Decommissioning

BitLocker Architecture

Keys Used for Volume Encryption

Hardware Upgrades on BitLocker Protected Systems

BitLocker Authentication Modes

When to Use BitLocker on a Windows 2008 Server

Support for Multifactor Authentication on Windows Server 2008

Enabling BitLocker

Installing BitLocker on Windows Server 2008

Turning on and Configuring BitLocker

Administration of BitLocker

Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup

Recovering Data

Disabling BitLocker

Active Directory Rights Management Services

Managing Trust Policies

Configuring Policy Templates

Managing Your AD RMS Cluster

Reporting

Transport Security

Adding a New Security Certificate

Authentication

Authorization

URL Authorization

IP Authorization

Request Filtering

.NET Trust Levels

Summary

Solutions Fast Track

BitLocker

Active Directory Rights Management Services

Authorization

Frequently Asked Questions

Chapter 6. Microsoft Windows Server 2008

Introduction

Not Your Father's TCP/IP Stack

Introduction of IPv6 and Dual Stack

Configuring IPv6 Settings

Using the Network and Sharing Center

Using Network Map

Connect to a Network

Manage Network Connections

Managing Wired Connections

Managing Wireless Connections

Changing from a Private to a Public Network Location

Other Troubleshooting Methods

Summary

Solutions Fast Track

Not Your Father's TCP/IP Stack

The Network and Sharing Center

Network Map

Frequently Asked Questions

Chapter 7. Microsoft Windows Server 2008

Introduction

Server Core Features

Server Core Has Minimal Attack Vector Opportunities

Server Core Requires Less Software Maintenance

Server Core Uses Less Disk Space for Installation

Server Core Components

What Is There?

Which Roles Can Be Installed?

What Is Missing?

Server Core Best Practices

Installing Software

Changing Background Settings and More

Enabling remote cmd.exe with Terminal Services

Changing the Command Prompt

Administrating Server Core with RDP

Creating Batch Menus

Combining Server Core, Read-Only Domain Controller, and BitLocker

Server Core Administration

Installing Server Core

Configuring Server Core

Administrating Server Core

Remote Server Administration Tools (RSAT)

Winrm/winrs

Managing Server Core with Group Policy

PowerShell

Installing Active Directory Domain Services on Server Core

Summary

Solutions Fast Track

Server Core Features

Server Core Components

Server Core Best Practices

Server Core Administration

Frequently Asked Questions

Chapter 8. Configuring Windows Server Hyper-V and Virtual Machines

Introduction

Advancing Microsoft's Strategy for Virtualization

Understanding Virtualization

Understanding the Components of Hyper-V

Configuring Virtual Machines

Installing Hyper-V

Installing and Managing Hyper-V on Windows Server Core Installations

Virtual Networking

Virtualization Hardware Requirements

Virtual Hard Disks

Adding Virtual Machines

Installing Hyper-V and Creating Virtual Machines

Migrating from Physical to Virtual Machines

Planning a P2V Migration

Backing Up Virtual Machines

Backing Up a Virtual Hard Drive

Virtual Server Optimization

Summary

Solutions Fast Track

Configuring Virtual Machines

Migrating from Physical to Virtual Machines

Backing Up Virtual Machines

Virtual Server Optimization

Frequently Asked Questions

Chapter 9. Microsoft Windows Server 2008

Introduction

Terminal Services RemoteApp

Configuring TS RemoteApp

Terminal Services Gateway

Terminal Services Web Access

Configuring TS Remote Desktop Web Connection

Summary

Solutions Fast Track

Terminal Services RemoteApp

Terminal Services Gateway

Terminal Services Web Access

Frequently Asked Questions

List of Figures

Figure 1.1. Server Manager

Figure 1.2. Opening Server Manager

Figure 1.3. List of Server Roles

Figure 1.4. The Installation Summary Confirmation Screen

Figure 1.5. The Server Core Console

Figure 1.6. Setting an IP Address in Server Core

Figure 1.7. Installing Directory Services in Server Core

Figure 1.8. Setting an IP Address in Server Core

Figure 1.9. Using the dnscmd Utility

Figure 1.10. A Windows Server 2008 Certificate Field and Values

Figure 1.11. A Windows Server 2008 Certificate Field and Values

Figure 1.12. Certificates Snap-in

Figure 1.13. Before You Begin

Figure 1.14. Request Certificates

Figure 1.15. Certificate Installation Results

Figure 1.16. Welcome Screen of the CA's Web Site

Figure 2.1. Public / Private Key Data Exchange

Figure 2.2. Digital Signatures

Figure 2.3. A Windows Server 2008 Certificate

Figure 2.4. Certificate Authority Page

Figure 2.5. Items to Back Up

Figure 2.6. Completing the CA Backup Wizard

Figure 2.7. Certificate Authority page

Figure 2.8. Items to Restore

Figure 2.9. Completing the CA Restore Wizard

Figure 2.10. Certification Authority Restore Wizard

Figure 2.11. Extensions Tab of the CA Property Sheet

Figure 2.12. Certificate Templates Snap-in

Figure 2.13. General Tab of the New Template Property Sheet

Figure 2.14. Request Handling Tab of the New Template Property Sheet

Figure 2.15. Cryptography Tab

Figure 2.16. Subject Name Tab of the New Template Property Sheet

Figure 2.17. Issuance Requirements Tab of the New Template Property Sheet

Figure 2.18. Superseded Templates Tab of the New Template Property Sheet

Figure 2.19. Extensions Tab of the New Template Property Sheet

Figure 2.20. Security Tab of the New Template Property Sheet

Figure 2.21. Creating a Custom Template

Figure 2.22. Creating a Custom Template

Figure 2.23. Creating a Custom Template

Figure 2.24. Recovery Agents Tab of the CA Property Sheet

Figure 3.1. Auditing Policies

Figure 3.2. Auditing Configuration Options

Figure 3.3. The Properties Dialog

Figure 3.4. The Advanced Security Settings Dialog

Figure 3.5. The Auditing Entry Dialog

Figure 3.6. Bringing Up the Connections Settings Dialog

Figure 3.7. The Name: Text Box

Figure 3.8. Creating the New Object in ADSI Edit

Figure 3.9. Selecting the msDS-PasswordSettings Option

Figure 3.10. Entering the PSO Name

Figure 3.11. Configuring the Fine-grain Settings

Figure 3.12. The More Attributes Button

Figure 3.13. Associating Users and Global Security Groups

Figure 3.14. The ADSI Utility

Figure 3.15. Opening the Properties for the PSO

Figure 3.16. The Attribute Editor Tab

Figure 3.17. The Multi-valued Distinguished Name with Security Principal Editor Window

Figure 3.18. Confirming Installation Selections

Figure 3.19. The Summary Page

Figure 3.20. Setting Account Credentials

Figure 4.1. NPS and NAP Health Policy Overview

Figure 4.2. NPS Policy Configuration

Figure 4.3. Network Policy and Access Services Server Manager Interface

Figure 4.4. Choosing the NPS Role

Figure 4.5. Overview Screen on NPS

Figure 4.6. Components of 802.1x

Figure 4.7. 802.1x Settings on Wired Windows XP SP2 Client

Figure 4.8. New Vista Wired Network Policy Properties Security Tab

Figure 4.9. Advanced Settings for New Vista Wired Network Policy Properties

Figure 5.1. Startup Component Integrity Verifi cation Flowchart

Figure 5.2. Filter Driver Inserted into the File System Stack

Figure 5.3. Keys Used for Volume Encryption

Figure 5.4. Accessing a BitLocker-Enabled Disk That Is Secured with TPM + PIN

Figure 5.5. BitLocker Refuses to Confi gure the System Due to an Invalid Partition Scheme

Figure 5.6. Selecting the BitLocker Feature in Server Manager

Figure 5.7. Warning That a TPM Is Missing or Incompatible

Figure 5.8. The Server Is Ready to Turn on BitLocker

Figure 5.9. Saving the BitLocker Password

Figure 5.10. Error Enabling BitLocker

Figure 5.11. Enabling TPM-less Operation in the Local Group Policy

Figure 5.12. USB Startup Key Selection Screen

Figure 5.13. Schema Extension Output

Figure 5.14. AD RMS

Figure 5.15. The Exclude Application Dialog

Figure 5.16. The User Request Analysis Report

Figure 5.17. Server Certifi cates Module Confi guration

Figure 5.20. Internet Explorer Address Bar of a Site Using Extended Validation Certifi cate

Figure 5.18. Distinguished Name Properties Page

Figure 5.19. Cryptographic Service Provider Page

Figure 5.21. Add Site Binding Dialog

Figure 5.22. SSL Settings Module Confi guration

Figure 5.23. Authentication Module Confi guration

Figure 5.24. Edit Forms Authentication Settings Dialog

Figure 5.25. Add Allow Authorization Rule Dialog

Figure 5.26. Server-Side Version of Unauthorized Page Access Error Message

Figure 5.27. Add Allow Restriction Rule Dialog with Domain Restrictions Enabled

Figure 6.1. Server Manager on Windows Server 2008

Figure 6.2. The Network Connections Control Panel

Figure 6.3. Selecting a Connection

Figure 6.4. Local Area Connection Properties

Figure 6.5. IPv6 Properties

Figure 6.6. The Network and Sharing Center

Figure 6.7. Shares Available on a Computer Device

Figure 6.8. Connecting to a Network

Figure 6.9. Selecting a Type of Network Connection

Figure 6.10. Options for a VPN Connection

Figure 6.11. Entering the Address of Your Destination

Figure 6.12. Working with Network Hardware Settings

Figure 6.13. The Diagnose and Repair Link

Figure 6.14. Wired and Wireless Connections: Large Icon View

Figure 6.15. WPA2 Passphrase for an Ad Hoc Network Set Up in Windows Server 2008

Figure 6.16. Internet Connection Sharing with Ad Hoc Network Set Up

Figure 6.17. Changing the Network Type to Public

Figure 7.1. The Server Core Console

Figure 7.2. Counting the Number of Services on a Server Core Machine

Figure 7.3. Notepad on a Server Core Machine

Figure 7.4. Changing the Screensaver in Server Core

Figure 7.5. Installing Terminal Services on a Full Windows 2008 Installation

Figure 7.6. Remotely Connected to a Server Core Machine with TS RemoteApp Manager

Figure 7.7. Changing the Look of the Command Prompt

Figure 7.8. What's Displayed in a Batch File

Figure 7.9. Installation Options for Server Core

Figure 7.10. Configuring IP Addressing on Server Core

Figure 7.11. Configuring Windows Firewall on Server Core from a Regular Windows 2008 Server

Figure 7.12. Changing the Regional and Language Options

Figure 7.13. Changing the Regional and Language Options

Figure 7.14. A WINRM Error

Figure 7.15. A Simple Unattended File

Figure 7.16. The Active Directory Domain Services Installation Wizard

Figure 8.1. Viewing the Components of Hyper-V

Figure 8.2. Adding Hyper-V on the Specific Server Roles Page

Figure 8.3. New Virtual Hard Disk Wizard

Figure 8.4. Hyper-V Manager

Figure 8.5. Configuring a Virtual Processor

Figure 8.6. Volume Shadow Copy Service (VSS) Utility for Windows Server 2008

Figure 8.7. Configuring the VSS

Figure 8.8. System Center Operations Manager (SCOM) 2007

Figure 9.1. Windows 2008 Control Panel Option to Install Applications on Terminal Server

Figure 9.2. Installing Applications on Terminal Server

Figure 9.3. Terminal Server Application Wizard Transferring Control to Application

Figure 9.4. Windows 2008 System Tool

Figure 9.5. Remote Desktop Configuration

Figure 9.6. RDP Users Configuration

Figure 9.7. TS RemoteApp Manager

Figure 9.8. Choosing Applications for Remote Access

Figure 9.9. Configuration Applications for Remote Access

Figure 9.10. TS Gateway Server Deployment Scenario

Figure 9.11. TS Gateway Server Deployment Scenario

Figure 9.12. TS Web Access Configuration

Figure 9.13. Applications Through TS Web Access

Figure 9.14. RemoteApp Warning Message

Figure 9.15. ActiveX Error Message

Figure 9.16. Remote Desktop Configurations on TS Web Access

List of Tables

Table 1.1. Partial List of Additional Server Manager Features

Table 1.2. X.509 Certificate Data

Table 5.1. Overview of Windows Server 2008 BitLocker Group Policy Settings

Table 5.2. Attributes Associated with the msFVW-RecoveryInformation Objects

Table 5.3. Security Features Available for Windows Server 2008

Table 7.1. Available and Unavailable Roles and Features on Server Core

Table 7.2. msiexec Command-Line Parameters

Table 7.3. MMC Snap-ins and the Corresponding Firewall Rule Groups

Table 7.4. Command-Line Options for ocsetup.exe

Table 8.1. Key Combinations

Contributing Authors

Dale Liu (CISSP, IAM, IEM, MCSE—Security, MCT) is a senior systems analyst, consultant, and trainer for Computer Revolution Enterprises. He has performed system administration, design, security analysis, and consulting for companies around the world. He currently resides in Houston, TX.

Remco Wisselink (MCT, MCSE NT4, 2000 and 2003, MCSE+messaging 2000 and 2003, MCSE+security 2000 and 2003, CCA, CCEA, SCP, and Multiple Certifications on MCTS and MCTIP) is a consultant working for the company IT-to-IT in the Netherlands. Remco has more then 10 years of experience in IT business and has multiple specialties, including ISA, Citrix, Softgrid, Exchange, and Microsoft Operating Systems in general like Windows Server 2008. Remco has been involved in several major infrastructure and mail migrations. Besides acting as a Microsoft Certified Trainer, he's also well known as a speaker on technical events.

Chapter 1. Microsoft Windows Server 2008 - An Overview

Solutions in this chapter:

Server Manager

Server Core

Active Directory Certificate Services

Active Directory Domain Services

Summary

Solutions Fast Track

Frequently Asked Questions

Introduction

With the introduction of new revisions to Microsoft products—for example, Windows, Exchange, and Communications Server—we have seen a trend toward roles within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003.

With earlier versions of Windows Server 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an all-or-nothing deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server.

The new roles in Windows Server 2008 provide a new way for you to determine how they are implemented, configured, and managed within an Active Directory domain or forest. The new roles (and the official Microsoft definitions) are as follows:

Read-only domain controller (RODC) This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

Active Directory Lightweight Directory Service (ADLDS) Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.

Active Directory Rights Management Service (ADRMS) Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.

Active Directory Federation Services (ADFS) You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company's Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.

These roles can be managed with Server Manager and Server Core. Discussing Server Core is going to take considerably longer, so let's start with Server Manager.

Server Manager

Server Manager is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.

Using Server Manager to Implement Roles

Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it's actually much more than just that.

Figure 1.1. Server Manager

In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC]) snap-in that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.

Table 1.1 outlines some of the additional roles and features Server Manager can be used to control:

Table 1.1. Partial List of Additional Server Manager Features

Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).

Figure 1.2. Opening Server Manager

So, those are the basics of Server Manager. Now let's take a look at how we use Server Manager to implement a role. Let's take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).

Tools & Traps…

Using the Add Role Wizard

Notice in Figure 1.1 that the Server Manager window is broken into three different sections:

Provide Computer Information

Update This Server

Customize This Server

Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.

Click the Add Roles icon.

At the Before You Begin window, read the information provided and then click Next.

From the list of server roles (Figure 1.3), click the check box next to Web Server (IIS) and then click Next.

Figure 1.3. List of Server Roles

If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.

When you return to the Select Server Roles screen, click Next.

Read the information listed in the Introduction to Web Server (IIS) window and then click Next.

For purposes of this example, we will select all of the default Role Services and then click Next.

Review the Installation Summary Confirmation screen (Figure 1.4) and then click Install.

Figure 1.4. The Installation Summary Confirmation Screen

When installation is complete, click Close.

Notice that on the Server Manager screen, Web Server (IIS) is now listed as an installed role.

Configuring & Implementing…

Scripting vs. GUI

Sure, you can always use a wizard to implement a role, but you also have the option of using a script. Realistically speaking, it's generally not the most efficient way to deploy a role for a single server, however. Unless you are going to copy and paste the script, the chance of error is high in typing out the commands required. For example, take the following IIS script syntax:

start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures; IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors; IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility; IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes; IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-Request Monitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security; IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication; IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService; IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel; WAS-NetFxEnvironment;WAS-ConfigurationAPI

This script installs ALL of the IIS features, which may not be the preferred installation for your environment, and within the time it took to type it out, you may have already completed the GUI install!

Server Core

Server Core brings a new way not only to manage roles but also to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.

Using Server Core and Active Directory

For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn heavy (too much) code, loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.

What Is Server Core?

What is Server Core, you ask? It's the just the facts, ma'am version of Windows 2008. Microsoft defines Server Core as a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles. Essentially, Server Core provides only the binaries needed to support the role and the base operating systems. By default, fewer processes are generally running.

Server Core is so drastically different from what we have come to know from Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5). With Server Core, you won't find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true. This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.

Figure 1.5. The Server Core Console

Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:

Note

Internet Information Server is Microsoft's brand of Web server software, utilizing Hypertext Transfer Protocol to deliver World Wide Web documents. It incorporates various functions for security, allows for CGI programs, and also provides for Gopher and FTP servers.

Active Directory Domain Services Role

Active Directory Lightweight Directory Services Role

Dynamic Host Configuration Protocol (DHCP)

Domain Name System (DNS) Services Role

File Services Role

Hyper-V (Virtualization) Role

Print Services Role

Streaming Media Services Role

Web Services (IIS) Role

Although these are the roles Server Core supports, it can also support additional features, such as:

Note

BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 that protects servers at locations, such as branch offices, as well as mobile computers for all those roaming users out there. BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with when the installed operating system is offline.

Backup

BitLocker

Failover Clustering

Multipath I/O

Network Time Protocol (NTP)

Removable Storage Management

Simple Network Management Protocol (SNMP)

Subsystem for Unix-based applications

Telnet Client

Windows Internet Naming Service (WINS)

The concept behind the design Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the application, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.

Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.

Configuring & Implementing…

Configuring the Directory Services Role in Server Core

So let's put Server Core into action and use it to install Active Directory Domain Services. To install the Active Directory Domain Services Role, perform the following steps:

The first thing we need to do is set the IP information for the server. To do this, we first need to identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.

Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name= source=static address= mask= gateway= . ID represents the number from step 1, represents the IP address we will assign, represents the subnet mask, and represents the IP address of the server's default gateway. See Figure 1.6 for our sample configuration.

Figure 1.6. Setting an IP Address in Server Core

Assign the IP address